Preventing unauthorized users from gaining access to private information, such as credit card numbers, maintained by a networked computer system is of the utmost importance. Unsophisticated attackers with limited resources can be detected and defeated with conventional best-practice security measures, such as using firewalls and virus detectors, installing and maintaining current software updates, and auditing log data. Sophisticated attackers, however, often use techniques that evade conventional detection mechanisms and penetrate or bypass firewalls. Worse, coordinated attacks may be launched from multiple machines, e.g., by using one machine for reconnaissance and another for the attack, and may target multiple machines, sometimes within the same department or organization.
Conventional attack correlation systems take a passive approach to stopping unauthorized users or “hackers.” These conventional attack correlation systems log all available information and then analyze the logged information to identify attacks. In particular, a network attack correlation system logs information contained in packets addressed to a protected network, such as source addresses, destination addresses, protocol identification (TCP, ICMP, etc.), and other fields such as time-to-live (TTL). Generally, an organization the size of a mid-sized university or company may easily accumulate hundreds of gigabytes of such data from its routers and firewalls over a few weeks or months. Consequently, conventional approaches may be impractical and ineffective for many organizations.